Eircom, Meteor charged over breach

Telecoms companies Eircom and Meteor have been ordered to pay €15,000 each to charity after the details of over 10,000 customers were compromised when two unencrypted laptops were stolen.

The companies were prosecuted by the Data Protection Commissioner before Dublin District Court today in relation to the data breach involving two laptops stolen from Eircom’s offices at Parkwest in Dublin between December 28th, 2011 and January 2nd, 2012.

The court heard information on the computers included customer details such as names and addresses and copies of proof of identity documents such as driving licences, passwords and utility bills. This had potentially exposed them to identity theft.

Gardaí were informed of the theft on January 4th, but the commissioner’s office was not notified until February 2nd. A large number of the customers affected were not notified of the theft of the machines containing their personal information until March – more than two months after the event.

Each company pleaded guilty to three charges relating to failure to take appropriate security measures to protect the personal information on the laptops, of failing to notify the commissioner of the breach without undue delay, and of failing to notify their customers of the theft of their information without undue delay.

An initial breach report to the commissioner’s office in February indicated that the number of affected customers was 454 in the case of Meteor and 6,597 in the case of Eircom’s Emobile customers. Following “intensive” contact between the commissioner and the companies, an updated breach report submitted on March 15th revealed that the numbers were greater than originally thought.

The revised figures were 3,944 Meteor customers and 6,295 Emobile customers affected by the data breach.

In relation to 142 of the Emobile customers, the personal data in question was in the form of customer application forms including proof of identity, eg copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills.

The other 6,153 cases contained details such as name, address, telephone and account number.

Of the 3,944 Meteor customers affected, data held on 1,244 of them included similar proof-of-identity documents. The other 2,700 cases contained details such as name, address, telephone and account number.

The court heard that some 160 of more than 3,000 laptops in the Eircom companies had been found not to be encrypted during the investigation. This had since been rectified.

Assistant data protection commissioner Tony Delaney told the court the laptops had been password protected but not encrypted, which was a “key failing” by the companies.

Mr Delaney said this was a “basic requirement” to protect the personal information on the machines.

“If the laptops had been encrypted, it would have been impossible for anybody to make out or to see these proof of identity documents.”

Mr Delaney said the commissioner’s office had asked for an explanation of the delay in notifying his office and the companies had said it was due to the complex nature of the inquiry and the fact they had to reconstruct what information had been on the computers.

He said knowing their personal information had been compromised would always be a serious cause of distress and worry for those customers affected.

Mr Delaney said the companies had admitted the delay in informing customers and had worked closely with the commissioner’s office afterwards to ensure that both customers and banks were notified.

Judge John O’Neill said he did not understand the reason for the delay in reporting the data breach to the commissioner. He said that if the companies had done this earlier, they would have had “an ally in their corner” to help them deal with the matter.

He noted the commissioner’s code of practice regarding such breaches had been ignored by the companies.

The court heard that neither company had previous convictions for a data breach.

Judge O’Neill said the companies had “come in with their hands up” and they had not attempted to minimise their part in the offences. He said, however, they should have notified the commissioner earlier and “gone about their business”.

Customers had not suffered loss so far, but that was not to say they would not suffer a loss in the future due to the theft of their data.

Judge O’Neill said he believed a €15,000 donation to charity by each company would be appropriate in the circumstances.

He ordered that Eircom pay €15,000 to the Laura Lynn Foundation and that Meteor pay the same sum to Pieta House by September 30th. If those amounts were paid by that date he would apply the Probation Act in relation to all charges.

Speaking after the case, deputy data commissioner Gary Davis said the judge had given a “sharp rebuke” to the companies and he had clearly been concerned about the delay in informing people about the breach.

“While he ordered probation, I think it’s clear to all that the matter was taken extremely seriously.”

Mr Davis said he did not believe such failure to encrypt laptops was any longer widespread. “The dangers still remain for potential data breaches and we are still receiving them on an ongoing basis. This is the one area of law now where we can prosecute companies in the telecommunications sector or internet service providers," he said.

“All other entities are outside [the scope of this legislation] right now, but that’s about to be addressed under European law whereby it will apply across the board, where the fines we can levy will be up to €1 million.”